If you lived your life based on what you read about crime in the daily papers, you wouldn't get out of bed in the morning.
The same is true of much of what we're seeing on web security. Web insecurity is news, and web security isn't, despite the fact that online commerce is the fastest growing marketplace on earth - both consumer and business-to-business - and we're in one of the slowest economies in recent memory.
The biggest mistake IT professionals make in assessing web security is focusing on the challenge and not looking at the business opportunity. All technologies have risks that need to be managed against their business impact. The job of the IT professional is identifying and then minimizing this risk in a way that allows us to introduce new technologies that drive business performance.
Another common error is imagining that security was bulletproof before the web started to take over. Fifteen years ago, business was conducted largely by phone and physical transaction, and criminals found ways to tap phones, overhear conversations and steal physical data. No IT security system in the world is stronger than its weakest link, which is the human being. As business moves to the web, we face new security risks, but they are being offset by the huge gains in market speed, enhanced customer service, expanded customer base, higher productivity and lower operating costs. There is no turning back.
So, the real issue today is maximizing the effectiveness of web technology as we reduce risk, and this is happening to a greater degree than most people realize. In any web transaction, business needs to manage several challenges. The enterprise needs to identify who its users are, what they should be allowed to do, and what policies will drive business decisions. These policies, for example, have to define the rights of different types of users - customers, employees, suppliers and business partners.
As we build greater enterprise security, we need to make sure that this added protection integrates easily and flexibly across the business and is easy to deploy and manage. For example, as employees enter and leave the business, IT administrators need to be able to update online access rights without having to recode multiple applications for each employee. Right now, with employee turnover rates approaching 100 percent in some industries, it's so costly and complex to manage security across diverse systems and applications that many employees have access rights to corporate systems they shouldn't have because these rights are outdated, and 20 percent of corporate system accounts belong to employees who haven't worked for the company for five years or longer.
Ease-of-use, flexibility and economy also need to be built into the way we manage web commerce risk. Today, the customer is asked to provide several layers of information for authentication - an ID, password, credit card number, and possibly other identifying information like the customer's date of birth or address. If this information checks out with the credit card company and the business, the customer is allowed to complete the transaction.
Retailers and credit card companies are working on additional layers of protection to weed out the bad guys, but the limiting factor is ease-of-use. These protections cannot make online shopping so onerous that nobody will want to do it. Of course, it's possible for criminals to obtain information online, just as they can forge credit cards and obtain credit card numbers to make illegal purchases in-store and through call centers. And you don't have to come up with a valid ID or password to make an illegal physical purchase.
The next step in improving online security may be biometrics, which identifies users based on their physical characteristics. We use biometrics to a degree now with digital photos of users on driver's licenses and credit cards. The Internet will allow us to digitize additional physical characteristics - for example, using a finger or palm print or retinal scan. As we improve biometrics, the test of this technology will be its cost-effectiveness, along with how it squares with equally important business imperatives like protecting consumer privacy and trust.
So, will the web ever be secure? Based on where we've been and where we're headed, we have every right to expect the web to become increasingly secure as security continues to enable rather than strangle business performance.
Peter Jopling is business unit manager, IBM Tivoli Security (www.tivoli.com).